Prevents against issues where an account is compromised (say via cookie interception) and then the attacker silently takes over ownership via pw/email changes — now there will at least be a record that something is up

The "Notice of Password Change" and "Notice of Email Change" subject lines sound a bit clunky. A better phrase would be something like "Email Changed" or "Your email address has been changed".

The phrase "If you did not change your password, please contact the Site Administrator at ###ADMIN_EMAIL###" does not make any sense if I am the only user on the site, or if I am the site administrator. How about some logic to only include this line when appropriate? ("Site Administrator" probably shouldn't be capitalised either.)

The "Regards, All at ###SITENAME###" signature is indeed similar to the signature that's present in other emails that get sent out, but again it's not appropriate if I'm the only user on the site. Seeing as this is an automated security information email, and does not actually include the regards of anyone, I think this can be dropped. Maybe just leave the site URL in the signature.

Looking at the limited sample of emails I've received, "Email Address Change" seems to be most often used - it should be short enough to make sense when looking at a phone's inbox.

I'd send the same emails to everyone. Seeing the exact email everyone else is getting is useful and to test user or role dependent emails it's necessary to make a new account. It'd be nice not to have to do that here as this is such a basic feature. It's also a bit of a double check on the admin email address - as this isn't tied to a user, it can be easy to forget to update it when updating your email address if you're the site administrator (or that might just be me...). Agree that changing the capitalisation would be good.

Just chatted with @obenland about this. It not sending the email is expected because the password was specified. Based on sending reset links instead of plain text passwords, this is expected behavior. I think we are all done here based on the original intent of the ticket.